
Generate and Configure an SSL Certificate for Backend Authentication

You can use API Gateway to generate an SSL certificate and use its public key in the backend to verify that HTTP requests to your backend system are from API Gateway. This allows your HTTP backend to control and accept only requests originating from Amazon API Gateway, even if the backend is publicly accessible.

Note

Some backend servers may not support SSL client authentication as API Gateway does and could return an SSL certificate error. For a list of incompatible backend servers, see Amazon API Gateway Important Notes.

The SSL certificates that are generated by API Gateway are self-signed and only the public key of a certificate is visible in the API Gateway console or through the APIs.

Generate a Client Certificate Using the API Gateway Console

Optionally, for Edit, choose to add a descriptive title for
the generated certificate and choose Save to save the
description. API Gateway generates a new certificate and returns the new certificate
GUID, along with the PEM-encoded public key.

Before configuring a backend HTTPS server to verify the client SSL certificate of API Gateway, you must have obtained the PEM-encoded private key and a server-side certificate that is provided by a trusted certificate authority.

If the server domain name is myserver.mydomain.com, the server
certificate's CNAME value must be myserver.mydomain.com or
*.mydomain.com.

As an example, suppose that the client certificate file is apig-cert.pem
and the server private key and certificate files are server-key.pem and
server-cert.pem, respectively. For a Node.js server in the backend, you
can configure the server similar to the following:
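The sketch below is an added example, not code from the original page, showing one such Node.js backend with the file names given above. The function names, the extra fingerprint check in the request handler and the START_BACKEND switch are assumptions made for illustration.

```javascript
// Added example: HTTPS backend that accepts only requests presenting the
// API Gateway client certificate. Function names and the port are assumptions.
const fs = require('fs');
const https = require('https');
const { X509Certificate } = require('crypto');

// TLS options: the only CA trusted for client authentication is the
// self-signed certificate generated by API Gateway.
function buildTlsOptions(serverKey, serverCert, apigCert) {
  return {
    key: serverKey,           // server private key (PEM)
    cert: serverCert,         // server certificate from a trusted CA (PEM)
    ca: [apigCert],           // API Gateway client certificate (PEM)
    requestCert: true,        // ask the client for a certificate
    rejectUnauthorized: true, // abort the handshake if it does not verify
  };
}

// Defense in depth: re-check the handshake result and compare the peer
// certificate's SHA-256 fingerprint with the expected one.
function isFromApiGateway(socket, pinnedFingerprint256) {
  if (!socket || socket.authorized !== true) return false;
  const peer = socket.getPeerCertificate();
  return Boolean(peer && peer.fingerprint256 === pinnedFingerprint256);
}

function makeHandler(pinnedFingerprint256) {
  return (req, res) => {
    if (!isFromApiGateway(req.socket, pinnedFingerprint256)) {
      res.writeHead(403, { 'Content-Type': 'text/plain' });
      res.end('client certificate required\n');
      return;
    }
    res.writeHead(200, { 'Content-Type': 'text/plain' });
    res.end('hello from the backend\n');
  };
}

// Reads the three PEM files named in the text and starts the server.
function start(port = 443) {
  const apigCert = fs.readFileSync('apig-cert.pem');
  const options = buildTlsOptions(
    fs.readFileSync('server-key.pem'), fs.readFileSync('server-cert.pem'), apigCert);
  const pinned = new X509Certificate(apigCert).fingerprint256;
  return https.createServer(options, makeHandler(pinned)).listen(port);
}

// Start only when explicitly requested: START_BACKEND=1 node server.js
if (process.env.START_BACKEND === '1') start();
```

With rejectUnauthorized set to true, a client that presents no certificate, or one that does not verify against apig-cert.pem, is rejected during the TLS handshake and never reaches the handler.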

Rotate an Expiring Client Certificate

The client certificate generated by API Gateway is valid for 365 days. You must rotate the certificate before a client certificate on an API stage expires to avoid any downtime for the API. You can check the expiration date of the certificate by calling clientCertificate:by-id of the API Gateway REST API or the AWS CLI command get-client-certificate and inspecting the returned expirationDate property.